Cleaning Up the Federal Cyber Debacle
America’s digital infrastructure is under constant attack. I know this not only from reading the news, but also from spending nine years as an undercover CIA officer and four years as a senior adviser with FusionX, the cybersecurity firm where I worked before being elected to Congress. The U.S.’s adversaries are constantly trying to steal its private-sector innovations and military and intelligence secrets.
The recent theft of millions of federal-employee personnel records from the Office of Personnel Management is only the latest in a string of high-profile data breaches. It is also a perfect example of the federal government’s prevarication and hypocrisy when it comes to handling cybersecurity incidents.
On June 4, federal authorities confirmed a data breach at the OPM that not only compromised the computer systems but also may have resulted in the exfiltration of highly sensitive information. The OPM initially reported that the personally identifiable information, such as Social Security numbers, of more than four million current, former and retired federal employees was compromised. The estimate has since been revised to 18 million.
It gets worse: The White House a week later confirmed a second intrusion, into the database that houses the highly personal data of those with, or who are pursuing, security clearances. As this newspaper reported on Wednesday, the security-clearance theft “was disclosed a week later, even though investigators knew about it much earlier.” At this point, the administration appears unable to say how many Americans have had their data compromised.
OPM Director Katherine Archuleta appeared before my colleagues and me at a recent hearing of the House Committee on Oversight and Government Reform. She declined to apologize for, or even acknowledge, her agency’s refusal to implement security best practices recommended for several years by the OPM’s own inspector general, Patrick E. McFarland. In report after report going back to 2010, the OPM’s Office of the Inspector General had identified insecure, outdated and poorly managed IT systems and practices that left the agency’s information vulnerable.
The hypocrisy is that while the government leaves its networks and the data of millions of Americans at risk, it fines private companies for security breaches. Last year the Department of Health and Human Services levied a $4.8 million fine against New York Presbyterian Hospital and Columbia University Medical Center for a security breach that left 6,800 people’s medical records open to the Internet and visible from search engines. In its 2014 review, the Federal Trade Commission boasted that it had brought more than 50 cases against companies that put consumers’ personal data at unreasonable risk.
When FusionX conducted cybersecurity assessments of private firms, I saw how companies placed a priority on protecting their digital infrastructure. If our review found a vulnerability that needed immediate remediation, we would alert our customer of the issue and it would be resolved. Often high-risk problems were fixed even before our final report was written. Why? Because the private sector is held accountable—by shareholders and the public, by civil or criminal litigation, and by the market forces that drive the economy.
After last year’s hack of the giant retailer Target, which compromised the information of an estimated 70 million customers, the CEO and chairman of the board stepped down. This was in part because Target acknowledged that warning signs related to the attack were ignored before the breach became public.
If federal agencies wish to provide effective oversight of the private sector, then they should start by looking in the mirror. Despite clear warnings provided to the OPM, and its failure to heed them, no one has been held accountable.
This needs to be a watershed moment for cybersecurity in the federal government. Other agencies have the same problems as the OPM, deploying outdated legacy systems and exercising poor cyberhygiene. In the wake of this data breach, the heads of other agencies should pull out their own inspector-general reports and begin to address their vulnerabilities.
A strong message must be sent to the public and the employees of the federal government that we take cybersecurity seriously.
Earlier this year, I asked Gene Dodaro, the long-tenured head of the Government Accountability Office, if he could recall ever seeing any federal government employee fired for delays or cost overruns on IT projects. After a long pause, he could not name a single instance. This “do as I say, not as I do” culture runs rampant in Washington. Our government demands accountability from others but offers little itself.
Until the leaders of our federal agencies implement solid cybersecurity measures—such as strong authentication, network monitoring, state-of-the-art data encryption and robust system hygiene—we will continue to play catch-up to our highly sophisticated and well-funded adversaries. The refusal at the Office of Personnel Management to take responsibility and move swiftly to address significant deficiencies leads to only one conclusion. Accountability starts at the top. It’s time for a change in leadership at the OPM.
Rep. Hurd, a Republican, represents Texas’ 23rd congressional district. A former undercover CIA officer, he sits on the Homeland Security Committee and is chairman of the IT Subcommittee for Oversight and Government Reform.
Reprinted from The Wall Street Journal © 2015 Dow Jones & Company. All rights reserved.